trusted computing - tu dresden › studium › kmb › ws2018 › 12-trusted-c… · tpm life...
TRANSCRIPT
Department of Computer Science Institute for System Architecture, Operating Systems Group
CARSTEN WEINHOLD
TRUSTED COMPUTING
TU Dresden Trusted Computing
THIS LECTURE ...
!2
■ Today: Trusted Computing Technology
■ Lecture discusses basics in context of TPMs
■ More theoretical concepts also covered in lecture „Distributed Operating Systems“
■ Things you should have heard about:
■ How to use asymmetric encryption
■ Concept of digital signatures
■ Collision-resistant hash functions
TU Dresden Trusted Computing
L4
AN.ON
INTRODUCTION
!3
TPM
? ?
? ?
TU Dresden Trusted Computing
ANONYMITY
!4
ISP
Proxy Server
TU Dresden Trusted Computing
ANONYMITY
!5
ISP
ProxyMIX
Server
Server
TU Dresden Trusted Computing
ANONYMITY
!6
ISP
MIX MIX
Server
Server
TU Dresden Trusted Computing
ANONYMITY
!7
AN.ON? ?
? ?
TU Dresden Trusted Computing
IDEA
!8
MIX
Do you spy?
No#/G«@ñ
TU Dresden Trusted Computing
SYSTEM LAYERS
!9
AN.ON MIX
OS
Boot Loader
BIOS
Hardware
TU Dresden Trusted Computing
TPM
!10
http://www.infineon.com/export/sites/default/media/press/Image/press_photo/TPM_SLB9635.jpg
TU Dresden Trusted Computing
TPM
!11
PCR := SHA-1( PCR | X )
Platform Configuration Register
TU Dresden Trusted Computing
OS
Boot Loader
BIOS
BOOTING + TPM
!12
PCR
OS
Boot Loader
BIOS
OS
Boot Loader
BIOS
AN.ON MIXAN.ON MIXAN.ON MIX
4490EF83
TU Dresden Trusted Computing
ATTESTATION
!13
MIX
Remote Attestation
4490EF83✹
TU Dresden Trusted Computing
ARCHITECTURE
!14
AN.ON
TPM
? ?
? ?
Linux
Windows
TU Dresden Trusted Computing
AFC937A0
MONOLITHIC
!15
Monolithic OS
MIX
TU Dresden Trusted Computing
4490EF83
L4/AN.ON
!16
MIX
L4.Fiasco
TPM Driver
Memory
Network Stack
Network Driver
GUI
USB Driver
L4Linux
TU Dresden Trusted Computing
L4/AN.ON
!17
TU Dresden Trusted Computing
L4/AN.ON
!18
TU Dresden Trusted Computing
L4/AN.ON
!19
TU Dresden Trusted Computing
L4/AN.ON
!20
L4
AN.ON
TPM
? ?
? ?
TU Dresden Trusted Computing
THE TRUSTED PLATFORM MODULE
!21
TU Dresden Trusted Computing
TPM HARDWARE
!22
http://www.heise.de/bilder/61155/0/0
■ TPMs are tightly integrated into platform:
■ Soldered on motherboards
■ ... or built into chipset / SoC
■ Tamper resistant casing
■ Widely deployed:
■ Business notebooks
■ Office desktop machines
■ Windows 8/10/RT tablets
TU Dresden Trusted Computing
TPM OVERVIEW
!23
■ TPM is cryptographic coprocessor:
■ RSA (encryption, signatures), AES (encryption), SHA-1 (cryptographic hashes)
■ Other crypto schemes (e.g., DAA)
■ Random number generator
■ Platform Configuration Registers (PCRs)
■ Non-volatile memory
■ TPMs are passive devices!
TU Dresden Trusted Computing
TPM SPECS■ TPMs specified by Trusted Computing
Group [2]
■ Multiple hardware implementations
■ TPM specifications [3,4] cover:
■ Architecture, interfaces, security properties
■ Data formats of input / output
■ Schemes for signatures, encryption, ...
■ TPM life cycle, platform requirements
!24
TU Dresden Trusted Computing
TPM & PLATFORM
!25
CPURAM
TPM
BIOS
CRTM
Chipset
Platform
Reset Init PCRs
TU Dresden Trusted Computing
TPM IDENTITY■ TPM identified by Endorsement Key EK:
■ Generated in manufacturing process
■ Certified by manufacturer
■ Unique among all TPMs
■ Can only decrypt, serves as root of trust
■ Creating entirely new EK possible (e.g., for use in corporate environments)
■ Private part of EK never leaves TPM!26
TU Dresden Trusted Computing
KEY HIERARCHY■ All keys except for EK are part of key
hierarchy below Storage Root Key SRK:
■ SRK created when user „takes ownership“
■ Key types: storage, signature, identity, ...
■ Storage keys are parent keys at lower levels of hierarchy (like SRK does at root level)
■ Keys other than EK / SRK can leave TPM:
■ Encrypted under parent key before exporting
■ Parent key required for loading and decrypting
!27
TU Dresden Trusted Computing
KEY HIERARCHY
!28
EK
SKSK
AIKAIK
AIK
SK
AIKs required for Remote Attestation
SigK
SRK
TU Dresden Trusted Computing
AIK
!29
■ Special key type for remote attestation: Attestation Identity Key (AIKs)
■ TPM creates AIK + certificate request
■ Privacy CA checks certificate request, issues certificate and encrypts under EK
■ TPM can decrypt certificate using EK
■ AIK certificate:
■ „This AIK has been created by a valid TPM“
■ TPM identity (EK) cannot be derived from it
TU Dresden Trusted Computing
Application
OS
Boot Loader
BIOS
BOOTING + TPM
!30
PCR
OS
Boot Loader
BIOS
OS
Boot Loader
BIOS
Application Application
Authenticated Booting
4490EF83
TU Dresden Trusted Computing
AIKS & QUOTES
!31
System
4490EF83
AE58B991
4490EF83
Challenger
✹4490EF83AE58B991
TPM_Quote(AIK, Nonce, PCR)
✔Remote Attestation with Challenge/Response
TU Dresden Trusted Computing
SEALED MEMORY
!32
■ Applications require secure storage
■ TPMs can lock data to PCR values:
■ TPM_Seal():
■ Encrypt user data under specified storage key
■ Encrypted blob contains expected PCR values
■ TPM_Unseal():
■ Decrypt encrypted blob using storage key
■ Compare current and expected PCR values
■ Release user data only if PCR values match
TU Dresden Trusted Computing
SEALED BLOBS
!33
Only the TPM_SEALED_DATA structure is encrypted
TU Dresden Trusted Computing
FRESHNESS■ Sealed data is stored outside the TPM
■ Vulnerable to replay attacks:
■ Multiple versions of sealed blob may exist
■ Any version can be passed to TPM
■ TPM happily decrypts, if crypto checks out
■ Problem:
■ What if sealed data must be current?
■ How to prevent use of older versions?!34
TU Dresden Trusted Computing
COUNTERS■ TPMs provide monotonic counters
■ Only two operations: increment, read
■ Password protected
■ Prevent replay attacks:
■ Seal expected value of counter with data
■ After unseal, compare unsealed value with current counter
■ Increment counter to invalidate old versions!35
TU Dresden Trusted Computing
TPM SUMMARY■ Key functionality of TPMs:
■ Authenticated booting
■ Remote attestation
■ Sealed memory
■ Problems with current TPMs:
■ No (sensible) support for virtualization
■ Can be slow (hundreds of ms / operation)
■ Linear chain of trust
!36
TU Dresden Trusted Computing
TPMS IN NIZZA ARCHITECTURE
!37
TU Dresden Trusted Computing
App A
OS
Boot Loader
BIOS
BOOTING + TPM
!38
PCR
OS
Boot Loader
BIOS
OS
Boot Loader
BIOS
15FE7860
App A App B App BApp BApp A
83E2FF9A
TU Dresden Trusted Computing
MULTIPLE APPS
!39
■ Use one PCR per application:
■ Application measurements independent
■ Number of PCRs is limited (TPM 1.2: max 24)
■ Use one PCR for all applications:
■ Chain of trust / application log grows
■ All applications reported in remote attestation (raises privacy concerns)
■ All applications checked when unsealing
TU Dresden Trusted Computing
EXTENDING TPMS■ Idea: per-application PCRs in software:
■ Measure only base system into TPM PCRs (microkernel, basic services, TPM driver, ...)
■ „Software TPM“ provides „software PCRs“ for each application
■ More flexibility with „software PCRs“:
■ Chain of trust common up to base system
■ Extension of chains of trust for applications fork above base system
■ Branches in Tree of Trust are independent!40
TU Dresden Trusted Computing
SOFTWARE PCRS
!41
Microkernel
GUINamesUser Auth
Secure Storage
I/O Support
TPM Driver
TPM Multiplexer
Loader
PCR: 4490EF83
PCR: 4490EF83 vPCR(A): 6B17FC28 vPCR(B): 153B9D14
App BApp CApp A
TU Dresden Trusted Computing
TPM MULTIPLEX’D
!42
■ Operations on software PCRs:
■ Seal, Unseal, Quote, Extend
■ Add_child, Remove_child
■ Performed using software keys (AES, RSA)
■ Software keys protected with real TPM
■ Link between software PCRs and real PCRs: certificate for RSA signature key
■ Implemented for L4: TPM multiplexer Lyon
TU Dresden Trusted Computing
A SECOND LOOK AT VPFS
!43
TU Dresden Trusted Computing
Sealed Memory
VPFS SECURITY
!44
Inode File
FileFile File File
Dir
Dir
Dir
83E2FF9A
TU Dresden Trusted Computing
VPFS TRUST
!45
Microkernel
VPFS
TPM Driver
TPM Multiplexer
L4LinuxApp VPFS can access secrets only,
if its own vPCR and the vPCR for the app match the respective expected values.
TU Dresden Trusted Computing
VPFS SECURITY
!46
■ VPFS uses sealed memory:
■ Secret encryption key
■ Root hash of Merkle hash tree
■ Second use case is remote attestation:
■ Trusted backup storage required, because data in untrusted storage can be lost
■ Secure access to backup server needed
■ VPFS challenges backup server: „Will you store my backups reliably?“
TU Dresden Trusted Computing
A CLOSER LOOK AT THE WHOLE PICTURE
!47
TU Dresden Trusted Computing
NITPICKER
!48
TU Dresden Trusted Computing
TRUST NITPICKER
!49
■ User cannot just trust what he / she sees on the screen!
■ Solution:
■ Remote attestation
■ For example with trusted device:
■ User’s smartphone sends nonce to PC
■ PC replies with quote of nonce + PCR values
■ User can decide whether to trust or not
TU Dresden Trusted Computing
A SECOND LOOK AT THE CHAIN OF TRUST
!50
TU Dresden Trusted Computing
CRTM■ When you press the power button ...
■ First code to be run: BIOS boot block
■ Stored in small ROM
■ Starts chain of trust:
■ Initialize TPM
■ Hash BIOS into TPM
■ Pass control to BIOS
■ BIOS boot block is Core Root of Trust for Measurement (CRTM)
!51
TU Dresden Trusted Computing
CHAIN OF TRUST■ Discussed so far:
■ CRTM & chain of trust
■ How to make components in chain of trust smaller
■ Observation: BIOS and boot loader only needed for booting
■ Question: can chain of trust be shorter?
!52
App
OS
Boot Loader
BIOS
Hardware
App
TU Dresden Trusted Computing
DRTM■ CRTM starts chain of trust early
■ Dynamic Root of Trust for Measurement (DRTM) starts it late:
■ Special CPU instructions (AMD: skinit, Intel: senter)
■ Put CPU in known state
■ Measure small „secure loader“ into TPM
■ Start „secure loader“
■ DRTM: Chain of trust can start anywhere!53
TU Dresden Trusted Computing
DRTM
DRTM: OSLO■ First idea: DRTM put right
below OS
■ Smaller TCB:
■ Large and complex BIOS / boot loader removed
■ Small and simple DRTM bootstrapper added
■ Open Secure Loader OSLO: 1,000 SLOC, 4KB binary size [6]
!54
App
OS
Boot Loader
BIOS
Hardware
App
TU Dresden Trusted Computing
DRTM CHALLENGE
■ DRTM remove boot software from TCB
■ Key challenges:
■ „Secure loader“ must not be compromised
■ Requires careful checking of platform state
■ Secure loader must actually run in locked RAM, not in insecure device memory
■ DRTM can also run after booting OS
!55
TU Dresden Trusted Computing
DRTM: FLICKER■ New DRTM can be
established anytime
■ Flicker [7] approach:
■ Pause legacy OS
■ Execute critical code as DRTM using skinit
■ Restore CPU state
■ Resume legacy OS
!56
App
Legacy OS
Boot Loader
BIOS
Hardware
App
TU Dresden Trusted Computing
DRTM: FLICKER
!57
App
Legacy OS
Hardware
App
Flicker Applet
TU Dresden Trusted Computing
FLICKER DETAILS■ Pause untrusted legacy OS, stop all CPUs
■ Execute skinit:
■ Start Flicker code as „secure loader“
■ Unseal input / sign data / seal output
■ Restore state on all CPUs
■ Resume untrusted legacy OS
■ If needed: create quote with new PCRs
■ TCB in order of only few thousand SLOC!!58
TU Dresden Trusted Computing
FLICKER LIMITS
!59
■ Problems with Flicker approach:
■ Untrusted OS must cooperate
■ Only 1 CPU active, all other CPUs stopped
■ Secure input and output only via slow TPM functionality (seal, unseal, sign)
■ Works for some server scenarios (e.g., handling credentials)
■ Client scenarios require more functionality (e.g., trusted GUI for using applications)
TU Dresden Trusted Computing
ISA EXTENSIONS■ Intel Software Guard Extensions (SGX): [9]
■ Secure enclaves: protected regions of address space for code, stack, heap
■ Sealed memory and remote attestation
■ ARM TrustZone: [8]
■ New processor mode for critical software
■ Private memory partition (accessible only in secure processor mode)
■ Can be used to implement software TPM!60
TU Dresden Trusted Computing
MOBILE DEVICES■ Simple implementations in smartphones, etc.
■ Non-modifiable boot ROM loads OS
■ OS is signed with manufacturer key, checked
■ Small amount of flash integrated into SoC
■ Cryptographic co-processor: software can use (but not obtain) encryption key
■ Not open: closed or secure boot instead of authenticated booting
!61
TU Dresden Trusted Computing
WHAT’S NEXT?
!62
■ January 22, 2019:
■ Lecture „Resilience“
TU Dresden Security Architectures
References■ [1] http://www.heise.de/security/Anonymisierungsnetz-Tor-abgephisht--/news/meldung/95770
■ [2] https://www.trustedcomputinggroup.org/home/
■ [3] https://www.trustedcomputinggroup.org/specs/TPM/
■ [4] https://www.trustedcomputinggroup.org/specs/PCClient/
■ [5] Carsten Weinhold and Hermann Härtig, „VPFS: Building a Virtual Private File System with a Small Trusted Computing Base“, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, 2008, Glasgow, Scotland UK
■ [6] Bernhard Kauer, „OSLO: Improving the Security of Trusted Computing“, Proceedings of 16th USENIX Security Symposium, 2007, Boston, MA, USA
■ [7] McCune, Jonathan M., Bryan Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki, "Flicker: An Execution Infrastructure for TCB Minimization", In Proceedings of the ACM European Conference on Computer Systems (EuroSys'08), Glasgow, Scotland, March 31 - April 4, 2008
■ [8] http://arm.com/products/processors/technologies/trustzone/index.php
■ [9] http://software.intel.com/en-us/intel-isa-extensions#pid-19539-1495
!63